Performing
a comprehensive digital forensic examination requires full understandings of
computer operating system (OS). Operating system refers to “a program that
manages all the applications in a computer” (University of Maryland University
College, 2012). OS manages the hardware resources, enables executions of
commands, acts as an interface between hard ware and software, controls the
security of the system and allows sharing of resources and files in the
network. The paper discusses different operating systems as a source of digital
forensic evidences. Each section of digital evidence source discusses filing
systems, tools and techniques helpful forensic examiners, and challenges faced
by investigator. The final section provides comparisons of each source of
evidence in terms of network intrusion, malware installation and Insider file
deletion.
Digital Evidences in Windows
The
following section discusses Windows Operating System (OS) as a source of data
for digital forensic investigation. Over the past three decades Windows
dominated the computer market with its applications in personal computers, Web
browsers and big enterprise hardware and software. After its first release of
Windows 1.0 in 1985, numerous different versions of Microsoft Windows have been
developed, from older versions such as Windows 9x, NT, ME and 2000 to the new
versions like Windows XP, Windows Vista, 7, Windows Server 2003 or 2008. The
latest versions are widely used in home, corporate and government environment (Pittman
& Shaver, 2009). Forensic examiner need to full understand Operating
Systems (OS), file systems and various tools needed to conduct thorough
forensic analysis.
FAT and NTFS file systems
Analyzing
the file systems, examining how directories and folders are structured, and how
data is stored in a computer hard drive helps the digital forensic examiner
learn about the location of a certain file. The Windows operating system
contains a number of locations that can act as a rich source of evidence. Windows
operating systems utilizes four different types of file systems. These are
FAT12, FAT16, FAT32, and NTFS ().In the FAT file system (File Allocation Table)
data is stored in disks in cluster forms which are divided into multiple
sectors. A cluster is composed of one or more sectors. And a sector is a
minimum size that can be written to or read from a disc and is usually 512
bytes (University of Maryland University College, 2012). A variety of digital
forensic tools help the investigator analyses the FAT to reveal the root
directory, FAT folders and data clusters of a hard drive. Viewing the FAT, the
investigator can identify a file in a folder, the cluster (s) it holds, and
clusters a file starts and ends. FAT also helps the investigator identify the
subdirectories that contain file information such as attributes, names, dates,
sizes, and the first cluster of each file on the system. However, the FAT file
system has some shortcomings such as inadequate security, lack of backup
systems, and lesser storage and poor data management (Pittman & Shaver, 2009).
As a result, modern Window systems are using NTFS, a more efficient file
system.
NTFS
(New Technology File System) is an alternate to FAT file systems. The current
version of NTFS has been utilized in Windows XP and later OS releases. From the
digital forensic perspective, understanding the difference between FAT and NTFS
is very important in terms of following features: data storage, data security,
file size and file naming convention (University of Maryland University
College, 2012). NTFS uses a data structure called the Master File Table (MFT)
instead of a file allocation table. MFT contains one record for all files on an
NTFS volume, including one for itself, each with file identifier number (Casey,
2011). This makes access and
organization of data more efficient. Moreover, the MFT field also helps the
forensic examiner in data backup and recovering deleting data. It also an
improved security feature, an access control list (ACL) that governs
read-write-execute access to Windows files and folders.
While
FAT uses only end of file, EOF, markers to specify a file's size, NTFS uses EOF
markers as well as Valid Data Length (VDL) to determine a file's logical size,
the true length of the data as it’s stored in the hard disk. As a result an uninitialized space is created
where data can be stored. An investigator can recover the data in uninitialized
space even if there have been attempts to delete the data. NTFS’ important
characteristics, data backup and deleted-data recovery makes it a preferred
file system in Windows OS for the examiner.
Windows Forensics Tools and Techniques
In order to extract evidences from
windows file system, file-system traces have been widely used. Whenever a user initiates
actions in a system, date-time stamps are placed on a file system. And file-system
traces provide vital information by easily identifying those date-time stamps. Log
files as part of the newest version of Windows provide useful forensic
information. Log files associate the user with date, time and action in a
system (user attribution). In addition to the windows file system traces and
Log files various features of windows are utilized in recovering and analyses
of forensic evidences. Tools from Microsoft itself (and third party tools) are
used to decode password protected and encrypted files and recover data from
suspect’s drive. The Windows Registry contains valuable information to the
forensic investigator. The Registry provides various pieces of information
relating to OS, installed applications, and user access information, their
settings and the privileges the users have to the applications and networks (Mee,
Tryfonas & Sutherland, 2006). A forensic program, REgGen, is used for the
analyses of the registry files stored on windows devices.
Besides of using the features in
Windows, various propriety and open source software tools are used for the
collection and analyses of digital evidences on window-based systems. Helix
runs on Windows as a standard application and used to collect digital evidences
in live or active systems. Pstools suites provide a variety of detailed
information of windows systems, remotely and locally. For instance, Pslist
displays process, CPU, and memory information or thread statistics for all
processes that are presently running on the system. While Psfile shows files
opened remotely, PsLogList dump event log records.
Challenges in Windows Forensics
Forensic
examiner faces several challenges in Windows environment. One of challenge will
be the Encrypted File System (EFS), and products like Microsoft Passport assist
in providing increased security for the Windows environment. However, they can
make the job of the forensic analyst more difficult. Finding information from
Windows file slack and Ram slack needs a lot of efforts by the examiner as they
conceal vital evidences such as files, e-mail, user names and passwords (Wiles
& Reyes, 2007). The absence of comprehensive single source for digital
evidences from Window file systems to Internet Explorer is a great challenge
for corporate investigators. As a result, they have to put back together
information from different sources and apply UNIX techniques to the Windows
environment
Digital Evidences in Macintosh
Apple’s
Macintosh systems are not as popular as Windows systems in the forensic
community. However, due to MacOS user friendliness and quick access to file and
applications, the Macintosh systems are becoming widely used and needed the
attention of forensic examiners. Since
its inception in 1984, various versions of Macintosh computer developed with
its Mac OS X systems.
The File Systems in MacOS
Two
types of hierarchal file systems (HFS) are used on MacOS, namely, HFS and HFS
Plus (improved version). Unlike Windows OS which uses file allocation table,
Mac uses catalog and overflow files. The catalog tree is a database of the
folders and files on a Mac hard drive. The catalog files collect information
such as date-time stamps (date of create, modified, accessed and backup) on
each file and folder. The catalog file records are stored in a B-tree, a simple
database for searches (Casey, 2011). While HFS supports 16-bit processing, the
improved version HFS+ supports 32-bit processing. In addition, HF Plus applies
journaling, helpful for fast recovery in case of power outage or a crash.
Mac Forensic Tools and Techniques
Various tools and techniques assist
the forensic investigator in examining digital evidences in Mac. Mac
File-system traces provides useful information in understanding date-stamp
behavior on the MacOS 9 and MacOS X. Browsers such as Safari, Mozilla Firefox
and Opera are used to trace network activities such as internet traces, Web
activity, e-mail activities and network-storage information. Mac’s Web caches
and plist are also helpful recovering
information about users’ incoming and outgoing emails and accessed web servers.
Furthermore, tools like Norton utilities
and Prosoft Data Rescue can be used to recover deleted files from Macs system (Kokocinski,
A. (2009).
Forensic software, Macintosh
Forensic Suite, with a collection of 26 modules, provides the investigator with
various tools and utilities (Wiles & Reyes, 2007). For instance, one of the
modules in the suite, Directory Scan utility allows the investigator to look
all the files and folders on a Macintosh volume. Another tool in the suite, HeaderBuilder,
makes changing headers easy and shows MD5 Hashes quickly. Another tool called PhantomSearch
allows capturing all the invisible files of a volume.
Challenges in Mac Forensics
One of the challenges in Mac
digital evidence is creating a bitstream copy of a hard drive. One common
approach of copying a hard drive from a mac system is to remove it and connect
it to another computer. It’s also possible to boot Macintosh using CD-ROM
booting. However, hard drives should be disconnected from the system first in
order to avoid accidental alteration of date-time stamps (Kokocinski, 2009). Another challenge in Mac is data recovery.
Due to the complex nature of the b-tree structure of the catalog, deleted file
names do not remain in the file system for long.as a result, it will be
difficult to recover the file names and associated date-time stamps even using
forensic tools like EnCase and FTK.
Tools like Norton utilities and Disk Warrior, or ProSoft Data Rescue are
helpful in file recovery. Some files in MacOS are stored in binary format and
difficult to read. For the Macintosh systems there is a need for more forensic
examination and researches.
Digital Evidences in UNIX
UNIX
started as a free OS in three decades ago. Different types of UNIX developed
since then, both proprietary version (Sun Solaris, IBM’s AIX) and free versions
(Linux, FreeBSD and OpenBSD). UNIX is so powerful that it allows access of
several users and multiple programs simultaneously in one computer. Not only is
an important sources of digital evidences, UNIX also an excellent plat form for
forensic examination. Any digital forensics laboratory has at least one Linux
environment either native or running through a virtual machine product such as VMware
(Steel, 2006). In contrast to the GUI system found in Windows, UNIX uses
command-line functions for execution of instructions.
File Systems in UNIX
The
popular file systems are UFS (UNIX File System), Reiser, ext1, and ext2
(Extended File Systems 2and3). They have much simpler directories, containing
only a list of file names and their associated inode (index node). This simple file structure coupled with the command-line
functions make it easier for the forensic examiners to trace the location of
file names from the root directory to the inode and to individual data blocks
or groups. The library card catalog is analogous to the UNIX file system (Atheide & Casey, 2009).
As
in Windows, UNIX systems allow certain users root access, provided users (and
examiner) have full administrative privileges. Understanding of file allocation
and deletion in UNIX is very important for the examiner. Both the OS and the
file system determine how files are deleted. In the case of ext2, when file is
deleted the inode is returned to the free-inode list of the super block.
Contents are not cleared. On the other hand, in ext3, first inode contents are
cleared and then the inode is returned to the free-inode list. This makes file
recovery easier in ext2 and more difficult in ext3.
Linux/Unix Forensic Techniques and Tools
Linux has several important features
assisting digital acquisition and examinations. To make a bitstream copy of the
source hard drive, examiners often use Helix, a freeware tool. The mainstay of
acquiring digital evidence in UNIX is the use of the /dd command, to create a
copy of a hard drive.
Data can be recovered using File
Carving feature of UNIX, by carving files from any evidence object, unallocated
space or a swap file. Another approach to recover deleted file is to search for
inodes and recover the associated data using icat (Atheide & Casey, 2009). Reviewing log Files is so helpful in UNUX and
provides important information such as commands used activities and system
changes useful for reconstructing events and tracking down offenders. File
system traces analyses is very useful as any activity can make an impression on
UNIX system. For instance, remnants such as spool files from printing, temp
files from applications, date-time stamp and user ids from other systems
provide more picture of what is occurring in the system.
UNIX was specifically designed with networking in mind and Internet
traces analyses are rich sources of evidences for the examiner. Web browsers
such as Mozilla Firefox store and provide information on Web browsing. UNIX
system generally stores e-mails under the home directory of each user, making
them easier to access for the examiner.
As UNIX systems are configure to store, log and print user data on
remote systems, network traces are easily found and are valuable information
leading to further digital evidences.
Tools like The Coroner’s Toolkit
(TCT) are mainly designed to help in forensic examinations are executed in most
UNUX/Linux Operating Systems. The Coroner’s Toolkit has a collection of
applications and is one the most frequently used toolkit by forensic examiners
(Wiles & Reyes, 2007). Moreover, tools like Sleuth Kit and SMART provide a
GUI (graphical user interface) simplifying the examination process in UNIX.
Challenges in UNIX Forensics
One of main challenges for the
digital investigator is dealing with password protection and encryption.
Attempt to break encryptions within UNUX systems is rarely effective,
especially for strong encryptions. Attempts require significant time and effort
as well as taking advantages of weaknesses in the implementation of the
encryption program. To crack passwords, we need tools like Crack and jack the
Ripper can be used to attempt guessing password entries in UNIX. Proper
collection and examination of digital evidences needs familiarity of any
computer system. The complexity and existence of a large number of UNIX systems
calls for special trainings and education of the examiners in the UNIX
administration (all aspect of the UNIX system) and security features. Being
prevalent in the internet, UNIX systems are vulnerable to network-borne
attacks, especially to Advanced Pertinent Threats (APTs), a cybercrime focusing
more on espionage (University of Maryland University College, 2012). The
continuous emergence of new malwares and the lack of robust detection and prevention
systems in UNIX environment call for the need of malware analyses as part of
digital forensic examination.
Digital Evidences in Mobile Devices OS
Mobile devices such as cell phones
and smart phones have become an integral part of peoples’ daily lives. And
their popularity is increasing the digital world. These devices are also being
used in facilitating crimes or otherwise being involved whenever crime occur.
As a result, they are becoming sources of digital evidences. Valuable Personal
information like as pictures, e-mails, addresses and other useful data such as
specific time where individual were and with whom they contacting can be
collected from those devices.
There are various types of mobiles
and smartphones made by several manufactures. And each kind of smartphone and
mobile device has a different operating system. The standard operating systems
for portable devices include iPhone’s iOS, Palm OS and Palm webOS, Nokia’s
Symbian, Window’s propriety OS developed by Microsoft and Android’s open source
OS developed by Google. While few devices (iphone and Blackberry) centralize
distribution of software, most other portable devices allow and encourage
independent applications on their platform. From the forensic examiners view
point these all complicates the tasks of forensic analyses. And he need and
efforts for developing tools and techniques of forensic examination have been
growing.
Forensic Analysis Tools for Mobile Devices
Despite the growing challenge,
there are a growing number of commercial forensic tools that provide evidence
acquisition and analysis capabilities for these devices. These include UFUD,
MicroSystemation XRY, LogicubeCellDEK and MOBILedit! Forensic Software
(University of Maryland University College, 2012). Cellebrite's Universal
Forensic Extraction Device (UFED) is used to extract evidences physically from
the devices using cables and USB memory sticks. MicroSystemation XRY acquires
forensic information logically via infrared technology, Bluetooth and USB.
LogicubeCellDEK allows only logical data acquisition but with capability of
identifying the type of devices based on brand name, model number, dimensions.
The forensic software MOBILedit! Uses cables to extract physical forensic data
from the device and it generate forensic report.
Challenges in Mobile Devices
Forensics
The speedy way in which these
mobile devices come, go, and grow presents unique challenges for the forensic
examiner. By the time forensic collection and analysis procedures become
available for many of these devices, the devices may have been out of date or
evolved into a completely different architecture (Brown, 2010). Mobile devices
unique characteristics such as overall design, their size and specific
components pose challenges to investigators during every phase of the computer
forensics process. More important, the existence of various operating systems
poses challenges to forensic tools and examiners in extracting digital
evidences. Mobile devices systems are a challenging source of evidence because
the data on them is volatile and different tools are needed to process
different devices. Finally, limited current forensic tools and training in the
area are of mobile forensics need more attention.
Prioritization of Digital Evidences terms of usefulness
Network Intrusion
A network intrusion can be any use
of a network that compromises its stability or the security of information
which is stored in a computer connected to the network. It maybe any attempt to
gaining unauthorized access to file or privileges. It maybe any effort to
destabilize the system as a whole or unauthorized use of software. While
intrusion detection help detect attacks, network forensic involves “discovering
and retrieving evidential information in a networked environment about a crime
in such a way as to make it admissible to court” (Vacca, 2009). Network
forensic uses log files to determine when users logged on, which URL user
accessed and how they logged into the network. It also tries to determine what
tracks or new file are left behind. Network forensics requires not only making
a forensic image of a compromised drive, but also an image containing for
applications used (Nelson et al, 2010). Live acquisitions are especially useful
in when dealing with network intrusions. I believe Mac computer systems used by
suspects are most useful in network forensic evidence, next being Unix OS
followed by Mobile devices OS and Windows OS.
Sources
of digital evidences
|
Network Intrusion
|
Malware Installation
|
Insider file deletion
|
Windows OS
|
3rd
|
2nd
|
1st
|
Macintosh OS
|
1st
|
3rd
|
2nd
|
UNIX OS
|
2nd
|
1st
|
3rd
|
Mobile Devices OS
|
3rd
|
4th
|
4th
|
Table: Prioritization of Digital Evidences in Terms of Usage
Malware Installation
The absence of robust malware
detection systems in Linux/UNIX system make it vulnerable for new and more
sophisticated malware. UNIX systems are
also susceptible to network-borne attacks like APTs. That makes UNIX OS the
most useful digital evidence source in terms of malware installation. Windows
systems are also the most widely used systems and often attacked. Windows OS is
the next useful source of digital evidence followed by MacOS and Mobile OS.
Insider file deletion
Computer forensic deals
with the task of recovering data that users have deleted or hidden so that the
recovered data may be used as evidence. The investigator searches the storage
media and if they find data, he put the pieces together to produce evidences.
In data recovery, Windows OS with its capability of data registry, log file and
date-stamp is the most useful. UNIX OS is very useful followed by UNIX OS and
Mobile Devices OS.
Conclusions
Digital investigator will encounter
different computer operating systems as sources of digital evidences. An in
depth understanding of computer Operating system (OS) helps a digital forensic
investigator understand the basic function of the device and dig more into the
data to be examined. The paper discussed four different Operating Systems as
potential source of digital evidences – Windows, Mac, Unix OS and Mobile
device’s OS. While Windows OS dominated the computer market and the forensic
environment, the user friendly nature of MacOS increasing its uses and getting
attention of investigators. UNIX OS is not only becoming an important sources
of digital evidence, but also an excellent platform of forensic examination.
Inbuilt features like file system, logs and file system-traces help the
investigator recover hidden or deleted data. Despite continuous challenges,
several forensic tools and technique are being used in the acquisition and
examination of digital evidences. The existence of enormous type of OS,
uniqueness in design, and volatile nature of their data makes mobile devices
the most challenging sources of digital evidences.
References:
Atheide, C. & Casey, E. (2009).
UNIX forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation
(pp. 301-351). Burlington, MA: Elsevier Academic Press.
2010). Computer evidence: collection and preservation, second
edition. Retrieved from ( http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=33937
Casey, E. & Turnbull, B. (2011). Digital Evidence on
Mobile Devices. In Digital evidence and
computer
crime: Forensic science,
computers, and the Internet (3rd ed.)retrieved from
Kokocinski, A. (2009). Macintosh
forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation
(pp. 353-382). Burlington, MA: Elsevier Academic Press.
Mee, V., Tryfonas, T., &
Sutherland, I. (2006). The Windows Registry as a forensic artifact:
Illustrating
evidence collection for Internet usage. Digital Investigation, 3(3), 166-173.
Retrieved from
www.elsevier.com/locate/diin.
Pittman, R. D. & Shaver, D.
(2009). Windows forensic analysis. In E. Casey (Ed.), Handbook of digital
forensics
and investigation (pp. 209-300). Burlington, MA: Elsevier Academic Press.
(2006). Windows forensics: the field guide for corporate
computer investigations. Retrieved
University of Maryland University
College. (2012). Forensic analyses of Operating Systems, Module 6. Retrieved from http://tychousa11.umuc.edu/CSEC650/1202/9040/class.nsf/Menu?OpenFrameSet&Login
2009). Computer and information security handbook. Retrieved
from
2007). The
best damn cybercrime and digital forensics book period. Retrieved from & http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=25452.